Abstract — Central cryptographic functionalities such as encryption,
authentication, or secure two-party computation cannot
be realized in an information-theoretically secure way from 
scratch. This serves as a motivation to study what (possibly 
weak) primitives they can be based on. We consider as such 
starting points general two-party input-output systems that do 
not allow for message transmission, and show that they can be 
used for realizing unconditionally secure bit commitment as soon 
as they are non-trivial, i.e., cannot be realized from distributed 
randomness only. In particular, our result implies that any two- 
qubit state without hidden-variable model has an input-output 
behavior allowing for unconditional bit commitment. 

I. Introduction

A. Bit Commitment 

Modern cryptography deals — besides the classical tasks 
of encryption and authentication — with secure cooperation 
between two (or more) parties willing to collaborate but 
distrusting each other. Examples of important functionalities 
of such secure two-party computation are bit commitment 
and oblivious transfer. In this note, we concentrate on bit
commitment, a primitive which, for instance, allows for fair
coin flipping over the telephone [Blu83] and has central
applications in interactive proof systems.

A bit commitment scheme is a pair of protocols, commit 
and open, executed by two parties, Alice and Bob. First, 
they execute commit where Alice chooses a bit b as input. 
Later, they execute open where Alice reveals the bit b to Bob.
The security properties of bit commitment are the following. 
Security for Alice ensures that the commitment is hiding: The 
commit protocol should not give any information about the 
bit b to Bob. Security for Bob, on the other hand, means that 
after the execution of commit, b cannot be changed anymore 
by Alice. Ideally, one would like these security properties to 
hold in an information-theoretically secure way. 

It is well known that bit commitment that is unconditionally
secure for both parties cannot be implemented from
(noiseless) classical communication only — and the same
is true even for (noiseless) quantum communication [May97],
[LC97]. If one is not willing to reduce the security to being
computational for one party or the other, it becomes a natural
question what information-theoretic primitives allow for
realizing unconditionally secure bit commitment. This question
has been studied intensively by many authors already, and
several optimistic results have been obtained: Bit commitment
can be realized from communication over noisy channels
[Cre97], [WNI03] or from pieces of correlated randomness
[IMQNW04], [WW04], [IMNW06]. The present article
corrects and strongly extends preliminary results presented
in [WW05a].



B. Non-Local Correlations 

Motivated by the fact that entangled quantum states can 
show a so-called non-local behavior, the question has been 
studied whether such correlations allow for realizing cryp- 
tographic primitives in an unconditionally secure way as 
well. A two-partite input-output system is characterized by 
a conditional distribution $P_{XY|UV}$, where U and V stand for
the inputs and X and Y for the outputs to the systems on the 
left and right hand sides of the system, respectively. Intuitively 
speaking, such a system is non-local if its behavior cannot be 
explained by pre-determined information. On the other hand, 
we only consider correlations that are, at the same time, non- 
signaling, i.e., which do not allow for message transmission 
from one side to the other. An example of such a system is 
the non-local box (NL box for short) proposed by Popescu
and Rohrlich [PR97], the behavior of which is as follows: All
variables are binary, each output is a uniform bit, independent
of the pair of inputs, but $X \oplus Y = U \wedge V$ always holds.
Interestingly, an NL box is, cryptographically speaking, the
same as one-out-of-two bit oblivious transfer [WW05b] and,
hence, does allow for realizing bit commitment as well. It
has been argued that this did not contradict Mayers' no-go
result because the classical system does, in contrast to a shared
quantum state, not allow for a delay of one of the inputs,
i.e., provides no output on either side before both inputs are
given (a property that, actually, makes it signaling) [SGP05].
However, this explanation turned out to be wrong: NL boxes
with delay still allow for bit commitment [BCU+06]. A
second explanation that was given is that NL boxes are more 
non-local than any quantum state. In contradiction to this 
intuition, we show that any non-local system providing binary 
outputs allows for unconditionally secure bit commitment. 
More precisely, we show an all-or-nothing result on such 
systems (Theorem 3): They are either simulatable with shared
randomness, or allow for unconditional bit commitment; our 
condition is thus tight. This also means that the crucial 
difference to Mayers' result is that there, entangling attacks 
are possible, whereas we only consider the states' classical 
behavior.

II. Preliminaries

A. Bit Commitment 

A bit commitment scheme is a pair of protocols Commit 
and Open executed by two parties Alice and Bob. First, Alice 
and Bob execute Commit where Alice has a bit $b$ as input. Bob
either accepts or rejects the execution of Commit. Later, they
execute Open where Bob has output (accept, $b'$) or reject.
The two protocols must have the following (ideal) properties:

• Correctness: If both parties follow the protocol, then Bob
always accepts with $b' = b$.

• Hiding: If Alice is honest, then committing to $b$ does not
reveal any information about $b$ to Bob.¹

• Binding: If Bob is honest and accepts after the execution 
of Commit, then there exists only one value b' (which is 
equal to b, if Alice is honest) that Bob accepts as output 
after the execution of Open. 

In the following we call a bit commitment scheme secure, if 
it fulfills the above ideal requirements except with an error 
that can be made negligible (as a function of some security 
parameter n). 

B. Notation 

Let $W : \mathcal{X} \to \mathcal{Y}$ be a stochastic matrix with rows indexed
by elements of $\mathcal{X}$ and columns indexed by elements of $\mathcal{Y}$.
We denote the entries of $W$ by $W(y|x) = W_x(y)$ and the
row vector indexed by $x$ by $W_x$. $W_x(\cdot)$ defines a probability
distribution on $\mathcal{Y}$ for every $x \in \mathcal{X}$, i.e., for all $x$ it holds that

$$W(y|x) \ge 0 \quad \forall y, \qquad \sum_y W(y|x) = 1.$$

We denote by $\mathrm{conv}(W)$ the convex hull of the set $\{W_x \mid x \in \mathcal{X}\}$,
i.e., the convex hull of the row vectors of $W$. We call
$W_{x_0}$ an extreme point of this set if the convex hull of the
set $\{W_x \mid x \in \mathcal{X}\} \setminus \{W_{x_0}\}$ is strictly smaller. We denote the
set of extreme points by $\mathrm{extr}(\mathrm{conv}(W))$. We call $W_{x_0}$
non-extreme if it is not an extreme point of $\mathrm{conv}(W)$. We denote
by $x^n = (x_1, \ldots, x_n)$ a sequence of elements in $\mathcal{X}$ or a vector
in $\mathcal{X}^n$. If $I := \{i_1, \ldots, i_k\} \subseteq \{1, 2, \ldots, n\}$ then $x^I$ denotes
the sub-sequence $(x_{i_1}, x_{i_2}, \ldots, x_{i_k})$ of $x^n$. We denote by $h(\cdot)$
the binary entropy function.

We call a function $f(n) \ge 0$ negligible if for any nonzero
polynomial $p(n)$, there exists $n_0$ such that

$$\forall n > n_0, \quad f(n) < 1/p(n).$$

We call $f(n)$ overwhelming if $1 - f(n)$ is negligible.

¹ Bob's views for $b = 0$ and $b = 1$ are indistinguishable.

C. Non-Signaling Boxes

A non-signaling box is defined by a stochastic matrix

$$W : \mathcal{U} \times \mathcal{V} \to \mathcal{X} \times \mathcal{Y}$$

as follows: Alice gives an input $u \in \mathcal{U}$ and Bob gives an
input $v \in \mathcal{V}$. Alice gets output $x \in \mathcal{X}$ and Bob $y \in \mathcal{Y}$
with probability $W(xy|uv)$. Furthermore, the following
non-signaling conditions must hold

$$\sum_y W(xy|uv) = \sum_y W(xy|uv') \quad \forall u, v, v', x,$$

$$\sum_x W(xy|uv) = \sum_x W(xy|u'v) \quad \forall u, u', v, y,$$


i.e., the distribution of Alice's output is independent of Bob's 
input (and vice-versa). A party receives its output immediately 
after giving its input, independently of whether the other has 
given its input already. Note that this is possible, since the box 
is non-signaling. Furthermore, after a box is used once, it is 
destroyed. The set of non-signaling boxes can be divided into 
two types: local and non-local. A box is local if and only if 
it can be simulated by non-communicating parties with only 
shared randomness as a resource. This means that there exist 
probabilities $p_i$ and stochastic matrices $V_A^i$, $V_B^i$ such that

$$W(xy|uv) = \sum_{i=1}^{n} p_i V_A^i(x|u) V_B^i(y|v) \quad \forall u, v, x, y. \qquad (1)$$

A box is called independent if there exist stochastic matrices
$V_A$, $V_B$ such that

$$W(xy|uv) = V_A(x|u) V_B(y|v) \quad \forall u, v, x, y,$$

i.e., such a box can be simulated without any resources at all.
In the following we only consider boxes with binary outputs,
i.e., $\mathcal{X} = \mathcal{Y} = \{0, 1\}$. We define

$$W^A(x|u) := \sum_y W(xy|uv) \quad \forall u, v, x,$$

$$W^B(y|v) := \sum_x W(xy|uv) \quad \forall u, v, y.$$

We call a box with binary outputs perfectly correlated for an
input pair $(u, v) \in \mathcal{U} \times \mathcal{V}$ if

$$W(01|uv) = W(10|uv) = 0$$

and perfectly anti-correlated if

$$W(00|uv) = W(11|uv) = 0.$$

An input $u$ for Alice is called redundant if there exists $u' \neq u$
such that

$$W(xy|uv) = W(xy|u'v) \quad \forall x, y, v.$$
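
The definitions of this subsection can be checked mechanically for small boxes. The following is an added example, not code from the paper: it tabulates three constructed boxes with binary inputs and outputs, tests the non-signaling conditions and the perfectly (anti-)correlated input pairs, and decides locality. Assumption: for binary inputs and outputs a non-signaling box admits a decomposition of the form (1) exactly when all CHSH expressions are at most 2 (a standard fact not stated on this page); all function names are chosen for this example.

```python
from itertools import product

BITS = (0, 1)

def make_box(rule):
    """Tabulate W(xy|uv) as a dict keyed by (x, y, u, v)."""
    return {k: rule(*k) for k in product(BITS, repeat=4)}

# Constructed sample boxes.
NL_BOX = make_box(lambda x, y, u, v: 0.5 if (x ^ y) == (u & v) else 0.0)
SHARED_BIT = make_box(lambda x, y, u, v: 0.5 if x == y else 0.0)
# Alice's output copies Bob's input, so this box would transmit a message.
SIGNALING = make_box(lambda x, y, u, v: 1.0 if (x == v and y == 0) else 0.0)

def alice_marginal(W, x, u, v):
    """sum_y W(xy|uv); equals W^A(x|u) for every v if the box is non-signaling."""
    return sum(W[(x, y, u, v)] for y in BITS)

def bob_marginal(W, y, u, v):
    """sum_x W(xy|uv); equals W^B(y|v) for every u if the box is non-signaling."""
    return sum(W[(x, y, u, v)] for x in BITS)

def is_non_signaling(W, tol=1e-9):
    alice_ok = all(
        abs(alice_marginal(W, x, u, 0) - alice_marginal(W, x, u, 1)) <= tol
        for x, u in product(BITS, repeat=2))
    bob_ok = all(
        abs(bob_marginal(W, y, 0, v) - bob_marginal(W, y, 1, v)) <= tol
        for y, v in product(BITS, repeat=2))
    return alice_ok and bob_ok

def correlation_type(W, u, v, tol=1e-9):
    """Classify the input pair (u, v) as in the definitions above."""
    if W[(0, 1, u, v)] <= tol and W[(1, 0, u, v)] <= tol:
        return "correlated"
    if W[(0, 0, u, v)] <= tol and W[(1, 1, u, v)] <= tol:
        return "anti-correlated"
    return "neither"

def correlator(W, u, v):
    """E[(-1)^(x XOR y)] for the input pair (u, v)."""
    return sum((-1) ** (x ^ y) * W[(x, y, u, v)]
               for x, y in product(BITS, repeat=2))

def max_chsh(W):
    """Largest of the eight CHSH expressions (one correlator gets a minus sign)."""
    e = {uv: correlator(W, *uv) for uv in product(BITS, repeat=2)}
    total = sum(e.values())
    return max(abs(total - 2 * e[uv]) for uv in e)

def is_local(W, tol=1e-9):
    """Binary inputs and outputs only: non-signaling and all CHSH values <= 2."""
    return is_non_signaling(W, tol) and max_chsh(W) <= 2 + tol
```

The NL box passes the non-signaling test with a CHSH value of 4, so it is non-local, while the shared-bit box is local and the copying box fails the non-signaling conditions.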

D. Chernoff/Hoeffding Bounds

We will use the following bounds attributed to Chernoff
[Che52] and Hoeffding [Hoe63].

Lemma 1. Let $X_1, X_2, \ldots, X_n$ be independent random variables
with $\Pr[X_i = 1] = p_i$ and $\Pr[X_i = 0] = 1 - p_i$. Let
$X = \sum_{i=1}^n X_i$ and $\mu = E[X]$. Then for any $0 < \delta < 1$ it
holds that

$$\Pr[X \ge (1 + \delta)\mu] \le \exp(-\delta^2\mu/3),$$
$$\Pr[X \le (1 - \delta)\mu] \le \exp(-\delta^2\mu/2).$$

Lemma 2. Let $X_1, X_2, \ldots, X_n$ be independent random variables
with $\Pr[X_i = 1] = p_i$ and $\Pr[X_i = 0] = 1 - p_i$. Let
X — X]r=i '^"'^ ^^ ^ ^[-^]- Then for any $0 < \delta < 1$ it
holds that 

Vt[X > h + 5]< cxp(-2(5V") , 
Vt[X <h-5]< cxp(-2(5V") • 



E. Information Theory 

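We will use the smoothed versions of the min-entropy
[RW04]. For an event $\mathcal{E}$, let $P_{X\mathcal{E}|Y=y}(x)$ be the probability
that $X = x$ and the event $\mathcal{E}$ occurs, conditioned on $Y = y$.
We define

$$H^{\varepsilon}_{\infty}(X|Y) := \max_{\mathcal{E} : \Pr(\mathcal{E}) \ge 1 - \varepsilon} \ \min_y \min_x \left(-\log P_{X\mathcal{E}|Y=y}(x)\right).$$

We will make use of the following lemma from [Cac97],
[MW97], [RW05].

Lemma 3. Let $P_{XYZ}$ be a probability distribution. For any
$\varepsilon, \varepsilon' > 0$,

$$H^{\varepsilon+\varepsilon'}_{\infty}(X|YZ) \ge H^{\varepsilon}_{\infty}(XY|Z) - \log(|\mathcal{Y}|) - \log(1/\varepsilon').$$

The following lemma from [HR06] gives a lower bound for
the smooth entropy of n-fold product distributions:

Lemma 4. Let $P_{X^nY^n} := P_{X_1Y_1} \cdots P_{X_nY_n}$ be a probability
distribution over $\mathcal{X}^n \times \mathcal{Y}^n$ and let $\varepsilon > 0$. Then

$$H^{\varepsilon}_{\infty}(X^n|Y^n) \ge H(X^n|Y^n) - 4\sqrt{n\log(1/\varepsilon)}\,\log(|\mathcal{X}|).$$
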

F. Randomness Extraction and Privacy Amplification 

In information-theoretic and quantum key agreement, the 
final protocol step, where a highly secret key is generated 
from a longer but only weakly secure key, has been called 
privacy amplification. It is very closely related to randomness 
extraction; actually, it corresponds to the latter when viewed 
from a possible adversary's perspective. 



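Definition 1. [CW79] A function $f : \mathcal{X} \times \mathcal{S} \to \mathcal{Y}$ is called a
2-universal hash function if for all $x_0 \neq x_1$ we have

$$\Pr[f(x_0, S) = f(x_1, S)] \le \frac{1}{|\mathcal{Y}|}$$

if $S$ is uniform over $\mathcal{S}$.

Lemma 5 (Leftover hash lemma [BBR88], [ILL89],
[BBCM95]). Let $f : \mathcal{X} \times \mathcal{S} \to \mathcal{Y}$ be a 2-universal hash
function with $m > 0$. Let $X$ be a random variable over $\mathcal{X}$
and let $\varepsilon > 0$. If

$$H_{\infty}(X) - 2\log(1/\varepsilon) \ge m,$$

then $\frac{1}{2}\|(f(S, X), S) - (U, S)\|_1 \le \varepsilon$ for $S$ and $U$ independent
and uniform over $\mathcal{S}$ and $\mathcal{Y}$.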



G. Typical Sequences 

In this section we will state and prove some basic results 
on typical sequences. More details on this topic can be found 
in the book by Csiszár and Körner [CK81].

Definition 2. Let $P$ be a probability distribution on $\mathcal{X}$ and
$\varepsilon > 0$. Then the set of $\varepsilon$-typical sequences is defined as:

$$\mathcal{T}^n_{P,\varepsilon} := \{x^n \in \mathcal{X}^n : \forall x \in \mathcal{X}\ \ |N(x|x^n) - P(x)n| < \varepsilon n \ \text{ and } \ P(x) = 0 \Rightarrow N(x|x^n) = 0\},$$

where $N(x|x^n)$ denotes the number of letters $x$ in $x^n$.

Definition 3. For a stochastic matrix $W : \mathcal{X} \to \mathcal{Z}$ we define
the set of $W$-typical sequences under the condition $x^n \in \mathcal{X}^n$
with constant $\varepsilon$ as

$$\mathcal{T}^n_{W,\varepsilon}(x^n) := \{z^n : \forall x, z\ \ |N(xz|x^nz^n) - W_x(z)N(x|x^n)| < \varepsilon n \ \text{ and } \ W_x(z) = 0 \Rightarrow N(xz|x^nz^n) = 0\}.$$

The following two well-known lemmas follow directly from
Lemma 1.

Lemma 6. $P^n(\mathcal{T}^n_{P,\varepsilon}) \ge 1 - 2|\mathcal{X}| \exp(-n\varepsilon^2/3)$

Lemma 7. $W^n_{x^n}(\mathcal{T}^n_{W,\varepsilon}(x^n)) \ge 1 - 2|\mathcal{X}||\mathcal{Z}| \exp(-n\varepsilon^2/3)$

Using the results above we will prove a lemma that we will
use in the security proofs in this paper. The lemma is similar
to Lemma 14 in [WNI03]. Let $W : \mathcal{X} \to \mathcal{Z}$ be a (discrete
memoryless) channel, let $a \in \mathcal{X}$ be an input such that the
output distribution of $a$ is not a convex combination of the
other output distributions and let $x^n, \tilde{x}^n \in \mathcal{X}^n$ be sequences
such that $|\{k : x_k = a \text{ and } \tilde{x}_k \neq a\}| > \kappa n$. Then the
lemma states that the output of the channel, given $\tilde{x}^n$ as input,
will not be $W$-typical conditioned on $x^n$ with overwhelming
probability if $\exp(-\kappa^2 n)$ is negligible.

Lemma 8. Let W : X —> Z be a stochastic matrix and a € X 
such that for all probability distributions P over X such that 
P(a) = and 



Wa-Y.Pix)W, 



Let x" , x" e X" with dn (a;^" , i^" 



> S 



> Kn where la '■= {k : 



Xk — a}. If na '■— \Ia\ > ^n, then 

I^:„(r^,,(£"))<2exp(-neV3) 



where e 

Proof: Let D 



2|^A(5k. 



that 



n.- ^ 



— {k £ la : Xk ^ Xk}- Then it follows 

Wa 



Ua 



\D\ 
na 



Wa - -r^y^W^ 

D ^ 



(2) 



This implies that there exists 6 e Z such that 

1 



kela 
Let e T^^(x"). Then it holds that 

\N{b\n/")- ^ W.,{b)\ = \Niab\x^wn - ^ 

> I E ^-^(^) - - \naWa{b) - N{ab\xV 

> -r-:=-rK6na — en 



> 



1 



2Z 



ndXna ■ 



We define independent binary random variables Xk, k G la, 
with distributions Pxjl) := W^^{b). Let X = J^keia^'^ 
and n := E[X] = J2keia ^et t := ^K5XnaH~^ 

(assuming ^ ^ 0). Using the Chemoff bound it follows that 



\X-^i\> 



1 



2\Z 

= Pr[\X - Ml > tfj] 



III. Impossibility 



■KdXUa 



Theorem 1. Let a local non-signaling box with binary output
be defined by $W : \mathcal{U} \times \mathcal{V} \to \{0, 1\}^2$ such that

$$W(xy|uv) = p\,V_A^0(x|u)V_B^0(y|v) + (1 - p)\,V_A^1(x|u)V_B^1(y|v)$$

and there exists $u_0 \in \mathcal{U}$, $v_0 \in \mathcal{V}$ and $b_0, b_1 \in \{0, 1\}$ with:

$$V_A^0(0|u_0) = V_A^1(1|u_0) = b_0, \qquad V_A^0(1|u_0) = V_A^1(0|u_0) = 1 - b_0,$$

$$V_B^0(0|v_0) = V_B^1(1|v_0) = b_1, \qquad V_B^0(1|v_0) = V_B^1(0|v_0) = 1 - b_1,$$

then there is no reduction of information-theoretically secure
bit commitment to the box $W$ (with noiseless communication
only).

Proof: We prove the statement by showing that one
can securely implement such a box from noiseless
communication and shared randomness alone. This would allow
for bit commitment from noiseless communication which
is impossible as mentioned above. The implementation just
follows the definition of the box: Let $\Lambda$ be the shared random
bit. Alice on input $u$ outputs 0 with probability $V_A^{\Lambda}(0|u)$
and 1 with probability $V_A^{\Lambda}(1|u) = 1 - V_A^{\Lambda}(0|u)$. Bob on
input $v$ outputs $b \in \{0, 1\}$ with probability $V_B^{\Lambda}(b|v)$. This
perfectly implements the behavior of the box. Furthermore,
this implementation is secure, since Alice and Bob can get
the same information (i.e. the shared randomness $\Lambda$) if they
only have black-box access to $W$, if they always input $u_0$ and
$v_0$, respectively. ■

IV. Two Protocols 

We will now give two slightly different protocols, which
work for two different kinds of non-signaling boxes.

A. Protocol I

Informally, the first protocol works as follows: in the
Commit protocol an honest Alice gives a fixed input to all her
boxes, while Bob chooses his inputs randomly. Alice applies
privacy amplification to the outputs of the boxes and uses
the resulting key $K$ to hide the bit $B$ she wants to commit
to. Alice then sends $K \oplus B$ and the randomness used for
privacy amplification to Bob. In the Open protocol Alice sends
her outputs from the boxes. Alice's input is chosen such that
there is a statistical test that allows Bob to detect if Alice has
changed more than $O(\sqrt{n})$ output values while Bob has only
limited information about the output of the boxes before the
opening phase. A dishonest Alice might still be able to change
$O(\sqrt{n})$ output values. To ensure that this is not possible, we
use a linear code and let Alice send parity check bits of the
output to Bob in the Commit protocol. If the minimal distance
of the code is large enough, no two strings with the same parity
check bits lie in a Hamming sphere with radius proportional
to $\sqrt{n}$.

Let Alice and Bob share n identical non-signaling boxes
given by $W : \mathcal{U} \times \mathcal{V} \to \{0, 1\}^2$. In our protocol, we will require
Bob to choose his input uniformly from $\mathcal{V}$. For an honest Bob
and a potentially malicious Alice, we can define a stochastic
matrix $\widetilde{W} : \{0, 1\} \times \mathcal{U} \to \{0, 1\} \times \mathcal{V}$ describing the probability
of Bob's input and output values $v$ and $y$, conditioned on
Alice's input $u$ and output $x$ as

$$\widetilde{W}(y, v|x, u) := \frac{1}{|\mathcal{V}|} \cdot \frac{W(xy|uv)}{W^A(x|u)}$$

if $W^A(x|u) \neq 0$, and undefined otherwise. Furthermore,
we will require an honest Alice to always input a fixed
value $u_a$ to the box. For an honest Alice, and a potentially
malicious Bob that chooses his input $v \in \{0, 1\}$ freely, we
can define random variables $X_v$, $Y_v$ depending on Bob's input
that describe the output of Alice and Bob, respectively, i.e.
with a joint distribution

$$P_{X_vY_v}(x, y) := W(xy|u_av).$$

The protocol below is secure if there exists a value $a =
(x_a, u_a)$ such that the following condition is fulfilled:

Condition 1. (1) There exists $\delta > 0$ such that for all
probability distributions $P$ over $\{0, 1\}^2$ with $P(a) = 0$ it holds
that



> s . 



(2) There exists $\gamma > 0$ such that for all $v \in \mathcal{V}$ it holds that

$$H(X_v|Y_v) > \gamma,$$

i.e., the Shannon entropy of Alice's output given Bob's output
is non-zero for all possible inputs of Bob.

We label the inputs of Alice as $\{0, \ldots, |\mathcal{U}| - 1\}$.
Furthermore, we define the distribution of Alice's output $x$ if
her input is $u_a$ as $P(x) := W^A(x|u_a)$ for all $x \in \{0, 1\}$.
Let $\lambda := \frac{1}{2}\min\{P(x), x \in \{0, 1\}\}$. Let $k$ be the security
parameter, $\varepsilon := \frac{1}{4}\lambda\delta k/n$. Let $d > 2k$ and let $H$ be the parity
check matrix of a linear $[n, Rn, d]$-code with $R > (1 - \gamma)$.
Since we do not have to decode, this could be a random linear
code chosen by Bob. Let I := n(l — R) — i^/nk — 3k. 
We choose k :— v?^"^, which implies that fc, \fnk g 0(n^/^) 
and fc, fc^/n, ne^ e It follows that ? e (7 + i? - 

l)n — 0(ri^/^). If n is big enough, we have I > 0. Let 
$\mathrm{ext} : \{0, 1\}^* \times \{0, 1\}^n \to \{0, 1\}^l$ be a 2-universal hash
function. We define syn(a;") :— H^x^. 

Commit($b$):

• Bob chooses $v^n \in_R \{0, 1\}^n$.

• Alice and Bob input $u^n$ and $v^n$ component-wise to the
boxes. Alice gets $x^n \in \{0, 1\}^n$ and Bob $y^n \in \{0, 1\}^n$.

• Alice chooses $r \in_R \{0, 1\}^*$ and sends
$(\mathrm{syn}(x^n), r, b \oplus \mathrm{ext}(r, x^n))$ to Bob.

Open():

• Alice sends Bob $x^n$ and $b$.

• Bob checks:

- $\mathrm{syn}(x^n)$ is correct

- $b \oplus \mathrm{ext}(r, x^n)$ is correct

- $((y_1, v_1), \ldots, (y_n, v_n)) \in \mathcal{T}^n_{\widetilde{W},\varepsilon}((x_1, u_a), \ldots, (x_n, u_a))$

• If all the checks pass successfully, Bob accepts and
outputs $b$, otherwise he rejects.

B. Security 

Let $u^n := (u_1, \ldots, u_n)$ be Alice's input to the
boxes, let $x^n := (x_1, \ldots, x_n)$ be her outputs from the
boxes and let $\tilde{x}^n := (\tilde{x}_1, \ldots, \tilde{x}_n)$ be the values Alice
sends to Bob in the opening phase. We define $z^n :=
((x_1, u_1), \ldots, (x_n, u_n))$ and $\tilde{z}^n := ((\tilde{x}_1, u_a), \ldots, (\tilde{x}_n, u_a))$.
Let $r^n := ((y_1, v_1), \ldots, (y_n, v_n))$ be Bob's inputs and outputs.

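Lemma 9. The protocols Commit and Open satisfy the
correctness condition.

Proof: Bob always accepts Commit. If Alice follows the
protocol, then $\mathrm{syn}(x^n)$ and $b \oplus \mathrm{ext}(r_1, u^n)$ are correct. From
Lemma 7 it follows that

$$\Pr[r^n \in \mathcal{T}^n_{\widetilde{W},\varepsilon}(z^n)] = \widetilde{W}^n_{z^n}(\mathcal{T}^n_{\widetilde{W},\varepsilon}(z^n)) \ge 1 - 16|\mathcal{V}| \exp(-n\varepsilon^2/3),$$

and from Lemma 6 it follows that

$$\Pr[x^n \in \mathcal{T}^n_{P,\varepsilon}] = P^n(\mathcal{T}^n_{P,\varepsilon}) \ge 1 - 4\exp(-n\varepsilon^2/3).$$

Thus, Bob accepts Open with overwhelming probability and
outputs $b$, the value Alice was committed to. ■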

Lemma 10. The protocol Commit satisfies the privacy
condition with an error negligible in n.

Proof: Let us assume that Alice is honest. Alice inputs
$u_a$ into the boxes as required by the protocol, while Bob can
choose his input $v^n = (v_1, \ldots, v_n)$ freely. We then define the
random variables $X^n = X_{v_1} \times \ldots \times X_{v_n}$ and $Y^n = Y_{v_1} \times
\ldots \times Y_{v_n}$. Let $\varepsilon_1 := 2^{-k}$. According to Lemma 4 it holds that

$$H^{\varepsilon_1}_{\infty}(X^n|Y^n) \ge H(X^n|Y^n) - 4\sqrt{nk}.$$



Using Lemma [3] with get that 

H^J,^{X-\syn{X")Vn > - n(l - R) - log(l/ei) 

> "fn — n{l — R) — 4:Vnk — k 
= l + 2k . 

According to Lemma 5 Bob has no information about
$\mathrm{ext}(r_1, x^n)$ except with probability $2\varepsilon_1 + \varepsilon_1$. ■

Lemma 11. If $d_H(x^n, \tilde{x}^n) > k$, then the probability that Bob
accepts $\tilde{x}^n$ is negligible in n.

Proof: From dff{x'"-,x'"-) > k follows dff{z^\z^'^) > k. 
Let Ua := N{ua\u'^), la := {k : h = {xa,Ua)} and p := 
W^{xa\ua). For all w'"- e T^\, we have 

|7V(xa|w") — np\ < en — -XSk/n ■ n < —kp , 

4 8 

since A < p/2 and 6 < 1. We distinguish two cases: 
(1) na < {n — k/2): The expectation of N{{xa,Ua)\z^) is 
smaller than or equal to [n — ^)p. Since k'^/n e il(n^/^), it 
follows from Lemma [T] that with overwhelming probability 



N{iXa,Ua)\z'') < in 



But since Bob only accepts if i" G "Tpg, we have 



and the claim follows from Lemma |8] 

(2) Ua > {n — k/2): Then the expectation of A^((l — 
Xa,Ma)|z") is greater than or equal to {n — |)(1 — p). As 
fc^/n e fl{n^^^) Lemma [U implies that with overwhelming 
probability 

iV((l - Xa,ua)\zn > (^n - (1 - p) - ^(1 - p) 

5 

= n{l-p) - -k{l~p). 
But since Bob only accepts if a;" e T^p^, we have 
A:(l-p) 



and the claim follows from Lemma |8] ■ 

Lemma 12. The protocol satisfies the binding condition with
an error negligible in n.

Proof: Any two strings $s^n \neq \tilde{s}^n$ with $\mathrm{syn}(s^n) = \mathrm{syn}(\tilde{s}^n)$
have distance at least $d$. So at least one of the two strings has
distance at least $k$ from Alice's output $x^n$. The probability
that Bob accepts this string in the opening phase is negligible
according to Lemma 11. ■

C. Protocol II

Protocol I is not hiding if for every fixed input of Alice 
a dishonest Bob can choose an input such that he has per- 
fect information about Alice's output. This is the case for 
example with the above mentioned NL box. But, as shown in
[BCU+06], this box allows for bit commitment. Therefore, we
present a second protocol that allows one to securely implement bit
commitment for such boxes. The protocol works as follows:
Alice gives random inputs to all her boxes. Then she applies
privacy amplification to the string of inputs and uses the
resulting key to hide the bit she is committed to. In the
opening phase Alice sends all her inputs/outputs. Bob performs
statistical tests on the input/output of Alice that allow him
to detect if Alice has changed more than $\sqrt{n}$ values. We
use again parity check bits of a linear code to make sure
that a dishonest Alice cannot change $\sqrt{n}$ values except with
negligible probability.

Alice and Bob share n identical non-signaling boxes given
by $W : \mathcal{U} \times \mathcal{V} \to \{0, 1\}^2$. We define the corresponding matrix
$\widetilde{W}$ as in Section IV-A. In the following we always assume that
$W^A(x|u) \neq 0$ for all $x \in \{0, 1\}, u \in \mathcal{U}$. For the following
protocol to be secure we require $\widetilde{W}$ to fulfill the following
condition:

Condition 2. There exist $u_0, u_1 \in \mathcal{U}$, $u_0 \neq u_1$, such
that the set $D := \{\widetilde{W}_{0u_0}, \widetilde{W}_{1u_0}, \widetilde{W}_{0u_1}, \widetilde{W}_{1u_1}\}$ contains
at most one non-extreme point of $\mathrm{conv}(\widetilde{W})$, i.e., there
is $c_0 \in \{0u_0, 1u_0, 0u_1, 1u_1\}$ such that for all $c \in
\{0u_0, 1u_0, 0u_1, 1u_1\} \setminus \{c_0\}$ it holds that for all probability
distributions $P$ with $P(c) = 0$

We label the inputs of Alice as $\{0, \ldots, |\mathcal{U}| - 1\}$ and assume
that $u_0 = 0$ and $u_1 = 1$. In the protocol, we will require
Alice to choose her input uniformly from $\{0, 1\}$, and Bob to
choose his input uniformly from $\mathcal{V}$. If both are honest, the
joint distribution of the inputs and outputs of Alice and Bob
is

$$P(x, y, u, v) = \begin{cases} \frac{1}{2|\mathcal{V}|} W(xy|uv), & \text{if } u \in \{0, 1\} \\ 0, & \text{else.} \end{cases}$$

If Alice is honest, the joint distribution of her input and output
is

$$Q(x, u) = \begin{cases} \frac{1}{2} W^A(x|u), & \text{if } u \in \{0, 1\} \\ 0, & \text{else.} \end{cases}$$

Let $\lambda := \frac{1}{4}\min\{Q(x, u), (x, u) \in \{0, 1\}^2\}$. Let $p_0 :=
\min\{W^A(x|u), (x, u) \in \{0, 1\}^2\}$. Note that we assumed
$p_0 > 0$ and that obviously we also have $p_0 \le \frac{1}{2}$. Let $k_1$ be
the security parameter, $k_2 := k_1(4p_0 + 1)/2p_0^2$, $\varepsilon := \frac{1}{4}\lambda\delta k_1/n$,
$d > k_1 + 2k_2 + 1$, $l > 0$ and let $H$ be the parity check matrix
of a $[n, Rn, d]$-linear code with $Rn > n/2 + \frac{3}{2}k_1 + 1/2$. We
choose $k_1 := n^{2/3}$ and $l := n - 2n(1 - R) - 3k_1$. This implies
$k_1, k_1^2/n, n\varepsilon^2 \in \Omega(n^{1/3})$ and $l \in (2R - 1)n - O(n^{2/3})$. If n is
big enough, then $l > 0$. Let $\mathrm{ext} : \{0, 1\}^* \times \{0, 1\}^n \to \{0, 1\}^l$
be a 2-universal hash function.

Commit($b$):

• Alice chooses $u^n \in_R \{0, 1\}^n$, Bob chooses $v^n \in_R \mathcal{V}^n$.

• Alice and Bob input $u^n$ and $v^n$ component-wise to the
boxes. Alice gets $x^n \in \{0, 1\}^n$ and Bob $y^n \in \{0, 1\}^n$.

• Alice chooses $r_2 \in_R \{0, 1\}^*$ and sends
$(\mathrm{syn}(u^n), \mathrm{syn}(x^n), r_2, b \oplus \mathrm{ext}(r_2, x^n))$ to Bob.

Open():

• Alice sends Bob $u^n$, $x^n$ and $b$.

• Bob checks:

- $\mathrm{syn}(u^n)$ and $\mathrm{syn}(x^n)$ are correct

- $b \oplus \mathrm{ext}(r_2, u^n)$ is correct

- $((y_1, v_1), \ldots, (y_n, v_n)) \in \mathcal{T}^n_{\widetilde{W},\varepsilon}((x_1, u_1), \ldots, (x_n, u_n))$

- $((x_1, u_1), \ldots, (x_n, u_n)) \in \mathcal{T}^n_{Q,\varepsilon}$

• If all the checks pass successfully, Bob accepts and
outputs $b$, otherwise he rejects.
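
The Commit and Open steps of Protocol II can be traced for the NL box with the following simulation, an added example that is not code from the paper. It shows an honest opening being accepted and altered openings being caught by the syndrome check and by Bob's box test. Assumptions: the key is extracted from Alice's inputs $u^n$, as in the informal description of Protocol II; ext is a random GF(2)-linear form with one output bit; the parity check matrix is random with no guaranteed minimum distance; `eps`, `n`, `checks` and all function names are illustrative choices.

```python
import random
from collections import Counter
from itertools import product

PAIRS = list(product((0, 1), repeat=2))

def nl_box(u, v, rng):
    """One use of the NL box: x is uniform and y = x XOR (u AND v)."""
    x = rng.randrange(2)
    return x, x ^ (u & v)

def gf2_apply(M, bits):
    """M * bits over GF(2). Serves as syn(.) and, with a random M, as ext(r, .)."""
    return tuple(sum(m & b for m, b in zip(row, bits)) % 2 for row in M)

def random_matrix(rows, n, rng):
    return [[rng.randrange(2) for _ in range(n)] for _ in range(rows)]

def w_tilde(y, v, x, u):
    """Probability of Bob's (y, v) given Alice's (x, u) when v is uniform."""
    return 0.5 if (x ^ y) == (u & v) else 0.0

def typical_q(z, eps):
    """(x, u) counts within eps*n of n*Q(x, u); Q = 1/4 everywhere for the NL box."""
    n, counts = len(z), Counter(z)
    return all(abs(counts[c] - n / 4) < eps * n for c in PAIRS)

def typical_w(r, z, eps):
    """r is typical given z: right frequencies and no zero-probability pair."""
    n, nz, nzr = len(z), Counter(z), Counter(zip(z, r))
    for (x, u), (y, v) in product(PAIRS, repeat=2):
        p, seen = w_tilde(y, v, x, u), nzr[((x, u), (y, v))]
        if (p == 0.0 and seen) or abs(seen - p * nz[(x, u)]) >= eps * n:
            return False
    return True

def commit(bit, n, H, rng):
    """Returns (Alice's private state, Bob's state including the commit message)."""
    u = [rng.randrange(2) for _ in range(n)]
    v = [rng.randrange(2) for _ in range(n)]
    outs = [nl_box(ui, vi, rng) for ui, vi in zip(u, v)]
    x, y = [o[0] for o in outs], [o[1] for o in outs]
    r2 = random_matrix(1, n, rng)               # seed of the one-bit extractor
    msg = (gf2_apply(H, u), gf2_apply(H, x), r2, bit ^ gf2_apply(r2, u)[0])
    return {"u": u, "x": x, "bit": bit}, {"y": y, "v": v, "msg": msg}

def box_test(bob, u, x, eps):
    """Bob's two typicality checks on the announced (x_i, u_i)."""
    z, r = list(zip(x, u)), list(zip(bob["y"], bob["v"]))
    return typical_w(r, z, eps) and typical_q(z, eps)

def open_verdict(bob, H, u, x, bit, eps=0.15):
    syn_u, syn_x, r2, masked = bob["msg"]
    if gf2_apply(H, u) != syn_u or gf2_apply(H, x) != syn_x:
        return "reject: syndrome"
    if bit ^ gf2_apply(r2, u)[0] != masked:
        return "reject: mask"
    return "accept" if box_test(bob, u, x, eps) else "reject: box statistics"

def demo(seed=1, n=400, checks=120, flips=40):
    rng = random.Random(seed)
    H = random_matrix(checks, n, rng)           # random parity checks
    alice, bob = commit(1, n, H, rng)
    honest = open_verdict(bob, H, alice["u"], alice["x"], alice["bit"])
    one_flip = [alice["u"][0] ^ 1] + alice["u"][1:]
    forged = open_verdict(bob, H, one_flip, alice["x"], alice["bit"])
    # Announce different inputs on `flips` boxes; Alice does not know v.
    many = [b ^ 1 for b in alice["u"][:flips]] + alice["u"][flips:]
    stats_ok = box_test(bob, many, alice["x"], eps=0.15)
    return honest, forged, stats_ok
```

For the NL box every position where Bob's input was 1 exposes a changed input, so each altered position is caught with probability 1/2 and the box test fails once more than a few positions are changed.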

D. Security 

Let $z^n := ((x_1, u_1), \ldots, (x_n, u_n))$ be Alice's input and
output, $\tilde{z}^n := ((\tilde{x}_1, \tilde{u}_1), \ldots, (\tilde{x}_n, \tilde{u}_n))$ the values Alice sends
to Bob in the opening phase and $r^n := ((y_1, v_1), \ldots, (y_n, v_n))$
Bob's inputs and outputs. For all $c \in (\{0, 1\} \times \mathcal{U})$ we define
the sets $I_c := \{i : z_i = c\}$.

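Lemma 13. The protocols Commit and Open satisfy the
correctness condition.

Proof: Bob always accepts Commit. If Alice follows
the protocol, then $\mathrm{syn}(u^n)$, $\mathrm{syn}(x^n)$ and $b \oplus \mathrm{ext}(r_2, u^n)$ are
correct. From Lemma 7 it follows that

$$\Pr[r^n \in \mathcal{T}^n_{\widetilde{W},\varepsilon}(z^n)] = \widetilde{W}^n_{z^n}(\mathcal{T}^n_{\widetilde{W},\varepsilon}(z^n)) \ge 1 - 8|\mathcal{U}||\mathcal{V}| \exp(-n\varepsilon^2/2)$$

and from Lemma 6 it follows that

$$\Pr[z^n \in \mathcal{T}^n_{Q,\varepsilon}] = Q^n(\mathcal{T}^n_{Q,\varepsilon}) \ge 1 - 4|\mathcal{U}| \exp(-n\varepsilon^2/2).$$

Thus, Bob accepts Open with overwhelming probability and
outputs $b$, the value Alice was committed to. ■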

Lemma 14. The protocol Commit satisfies the privacy
condition with an error negligible in n.

Proof: Let us assume that Alice is honest. Since the box
is non-signaling, Bob's values $V^n$ and $Y^n$ are independent of
$U^n$. Since Alice chooses $U^n$ uniformly from $\{0, 1\}^n$, we have

$$H_{\infty}(U^n) = n.$$

All the information Bob gets about $U^n$ is $\mathrm{syn}(U^n)$ and
$\mathrm{syn}(X^n)$. Let $\varepsilon_1 := 2^{-k_1}$. Using Lemma 3 we get

$$H^{\varepsilon_1}_{\infty}(U^n \mid \mathrm{syn}(U^n)\,\mathrm{syn}(X^n)) \ge n - 2n(1 - R) - k_1 \ge l + 2k_1.$$

It follows from Lemma 5 that extracting $l$ bits makes the key
uniform with an error of at most $2\varepsilon_1 = 2 \cdot 2^{-k_1}$. The statement
follows. ■
The proof of the binding condition is slightly more involved. 
Because our boxes are non-signaling, Alice has the possibility 
of delaying her input to the box until the opening phase. 
Hence, a general strategy for her is to give input to some 
of the boxes in the commit phase, and to delay the input to 
some of the boxes until the opening phase. And she may send 
incorrect values about her input/output to/from the boxes to 
Bob in the opening phase. Note that we can ignore the case 
where she does not give any input to some boxes, as she might 
as well just give input but ignore the output. 

Lemma 15. If $d_H(z^n, \tilde{z}^n) > k_1$, then the probability that Bob
accepts $\tilde{z}^n$ is negligible.

Proof: For all u;" G ^ it holds that 

\N {xu\w"') — nQ(x, u)\ < en = —XSki/n ■ n < — ki . 

4 64 

Since A < mmx.uQ{x,u)/A < 1/16 and S <1. 

We distinguish the following two cases: 
(1) There exists u' e {0, 1} such that N{u'\u") < n/2-fci/8: 
For all X G {0,1} the expectation of iV(xu'|z") is equal to 
{n/2 - ^)W'^{x\u'). Since kl/n e n{n'^^^) it follows from 
Lemma [T] that with overwhelming probability 

N{xu'\z^) < (I - h,)w^{x'\u') + ^k,W^{x\u') 

But since Bob only accepts if z" e ^, we have 
dniz^""' ,z^(>^') > -^ki and dniz^^"' , z'^^') > ^fci, and 
the claim follows from Lemma [8] 

(2) For all u e {0,1} we have \n/2 - N{u\u'')\ < fci/8: 
Since e^n € fl{n^^^) it follows from Lemma |7] that with 
overwhelming probability we have z" e Ju"")- Assume 
z" G T^^ ^{u"). There exists a value {x' , u')' e {0, 1}^ such 
that d// , z^='"' ) > jki. Therefore 

> nW^{x'\u')/2 ~ kiW^{x'\u')/8 - tn + ki/A 

> nW^(x'\u')/2 + —ki . 

64 

If there exists {x",u") ^ {x' ,u') e {0,1}^ such that 
, z^^""" ) > ^ki, then the claim follows from 
Lemma [8] Otherwise z" ^ T^^^. ■ 
Next, we will prove a technical lemma: 



Lemma 16. For any n it holds that, if $k < np$,

$$\sum_{i=0}^{k} \binom{n}{i} p^i (1 - p)^{n-i} \le 2^{-2np^2 + 4pk}.$$

Proof: Let $X_1, X_2, \ldots, X_n$ be random variables with
$\Pr[X_i = 1] = p$ and $\Pr[X_i = 0] = (1 - p)$. Let
$X = \sum_{i=1}^{n} X_i$. Then using Lemma 2 and setting $t := np - k$

$$\sum_{i=0}^{k} \binom{n}{i} p^i (1 - p)^{n-i} = \Pr[X \le k] \le \exp(-2t^2/n)$$


Lemma 17. If Alice does not input any values to at least $k_2$
boxes before sending $\mathrm{syn}(x^n)$ to Bob, then Bob does accept
the opening of the protocol with negligible probability.

Proof: Alice does not give any input to at least $k_2$ boxes
before sending a syndrome $s_0$ to Bob. Later she gives her
inputs to the remaining $k_2$ boxes and gets a random output
$x_i$ for each box. We know that any two strings $s^n \neq \tilde{s}^n$ with
$\mathrm{syn}(s^n) = \mathrm{syn}(\tilde{s}^n)$ have distance at least $d > 2k_2$. We can
bound the probability that the output string has distance at
most $k_1$ to a string with syndrome $s_0$ by

1=0 ^ ^ 

Note that since $4p_0 + 1 > 1$ and $2p_0 \le 1$, we have $p_0k_2 > k_1$.
So we can apply Lemma 16 and get an upper bound on this
probability of



. fci (4pn +1) 2 , Ai 

■ 2pg V n+4fciP0 ^ 



The statement now follows from Lemma 15. ■

Lemma 18. If Alice changes only $k_1$ values and delays only
$k_2$ inputs, then the protocol is binding.

Proof: Any two input strings $s^n$ and $\tilde{s}^n$ with $s_0 =
\mathrm{syn}(s^n) = \mathrm{syn}(\tilde{s}^n)$ have distance at least $d$. If we ignore
all the positions where Alice did not input anything to the
box, $s^n$ and $\tilde{s}^n$ still have distance at least $d - k_2 > 2k_1$. ■

V. Tightness of our Results 

In this section we show that every non-signaling box with 
binary outputs that cannot be securely implemented from 
shared randomness allows to realise bit commitment with one 
of the above protocols. 

Lemma 19. Let $W : \mathcal{U} \times \mathcal{V} \to \{0, 1\}^2$ be a non-signaling
box with $|\mathcal{U}| > 2$. If there exists $(x_0, u_0)$ such that either
$W^A(x_0|u_0) = 0$ or $\widetilde{W}_{x_0u_0} = \widetilde{W}_{x_1u_1}$ for some $(x_1, u_1) \neq
(x_0, u_0)$ with $W^A(x_0|u_0) \le W^A(x_1|u_1)$, then bit commitment
can be implemented from $W$ if and only if bit commitment can
be implemented from the reduced box $W'$ that is obtained by
removing input $u_0$ from $W$. Furthermore, $W$ is local if and
only if $W'$ is local.

Proof: We prove the statement by showing that Alice
having access to $W'$ can simulate the behavior of $W$ on input
$u_0$ using local randomness: We first consider the case where
$\widetilde{W}_{x_0u_0} = \widetilde{W}_{x_1u_1}$ with $u_1 \neq u_0$ and $W^A(x_1|u_1) \neq 0$. We
define $p := W^A(x_0|u_0)/W^A(x_1|u_1)$. Then it holds that

$$W(x_0y|u_0v) = pW(x_1y|u_1v)$$

for all $y \in \{0, 1\}, v \in \mathcal{V}$. It follows from the non-signaling
conditions that

$$W((1 - x_0)y|u_0v) = (1 - p)W(x_1y|u_1v) + W((1 - x_0)y|u_1v)$$

for all y E {0, 1}, v E V. We assume xq — xi = 0. Then we 
can simulate W using W in the following way: Alice gives 
input Uq to W and gets output x. If x = 1, then Alice outputs 
1 . If x = 0, then Alice outputs with probability p and 1 with 
probability $1 - p$. If $W^A(x_0|u_0) = 0$ or $\widetilde{W}_{0u_0} = \widetilde{W}_{1u_0}$, then
Alice on input $u_0$ outputs 0 with probability $W^A(0|u_0)$ and
1 with probability $W^A(1|u_0)$. ■

Theorem 2. A non-signaling box $W : \{0, 1\}^2 \to \{0, 1\}^2$ that
fulfills neither Condition 1 nor Condition 2 does not allow for
information-theoretically secure bit commitment (with
noiseless communication only) and is local.

Proof: We first consider the case where there exists $(x_0,u_0)$ such that $W^A(x_0|u_0) = 0$ or $W_{x_0u_0} = W_{x_1u_1}$ for some $(x_1,u_1) \neq (x_0,u_0)$. We assume $W^A(x_0|u_0) < W^A(x_1|u_1)$ and examine the reduced box that is obtained by removing input $u_0$. The reduced box is obviously local. If $W^A(0|u_1) = W^A(1|u_1)$, the box is independent and doesn't allow for bit commitment. If there is a perfectly correlated or anti-correlated input pair, the box doesn't allow for bit commitment according to Theorem 1. Otherwise bit commitment can be reduced to this box using Protocol I. From Lemma 19 it follows that we can implement bit commitment from $W$ if and only if bit commitment can be implemented from the reduced box. Thus, the claim follows for all boxes with $W^A(x_0|u_0) = 0$ or $W_{x_0u_0} = W_{x_1u_1}$ for some $(x_1,u_1) \neq (x_0,u_0)$. In the following we assume $W^A(x_0|u_0) > 0$ for all $x_0, u_0 \in \{0,1\}$ and $W_z \neq W_{z'}$ for all $z, z' \in \{0,1\}^2$ with $z \neq z'$.

(1) $|\mathrm{extr}(\mathrm{conv}(W))| > 3$: Then the box fulfills Condition 2 and we can securely implement bit commitment using Protocol II.

(2) $|\mathrm{extr}(\mathrm{conv}(W))| = 2$: We first consider the case $W_{1u}, W_{0u} \in D$. Without loss of generality, we can assume $u = 0$. Then there exist $0 < \lambda_0, \mu_0 < 1$ such that

$$W_{01} = \lambda_0 W_{00} + (1-\lambda_0) W_{10},$$

$$W_{11} = \mu_0 W_{00} + (1-\mu_0) W_{10}.$$

We define $\lambda_1 := 1 - \lambda_0$ and $\mu_1 := 1 - \mu_0$. Then it follows from the non-signaling conditions that for all $(y,v) \in \{0,1\} \times V$

$$\frac{W(0y|1v)}{W^A(0|1)} = \frac{\lambda_0 W(0y|0v)}{W^A(0|0)} + \frac{\lambda_1 W(1y|0v)}{W^A(1|0)},$$

$$\frac{W(1y|1v)}{W^A(1|1)} = \frac{\mu_0 W(0y|0v)}{W^A(0|0)} + \frac{\mu_1 W(1y|0v)}{W^A(1|0)}.$$

We define

$$a_x := \frac{\lambda_x W^A(0|1)}{W^A(x|0)}, \quad x \in \{0,1\},$$

$$b_x := \frac{\mu_x W^A(1|1)}{W^A(x|0)}, \quad x \in \{0,1\}.$$

Then it follows from the non-signaling conditions that for all $(y,v) \in \{0,1\} \times V$ it holds that $W(0y|0v) + W(1y|0v)$ is equal to

$$(a_0 + b_0)\,W(0y|0v) + (a_1 + b_1)\,W(1y|0v).$$

As we have excluded the case $W_{10} = W_{00}$, it follows that $a_0 + b_0 = a_1 + b_1 = 1$. Then the box is local as follows from $W(xy|uv) = W^A(0|0)\,V^A_0(x|u)\,V^B_0(y|v) + W^A(1|0)\,V^A_1(x|u)\,V^B_1(y|v)$ with

    (x,u)    V^A_0(x|u)    V^A_1(x|u)
    (0,0)    1             0
    (0,1)    a_0           a_1
    (1,0)    0             1
    (1,1)    b_0           b_1

and

$$V^B_0(y|v) := W(0y|0v)/W^A(0|0),$$

$$V^B_1(y|v) := W(1y|0v)/W^A(1|0)$$

for all $y, v \in \{0,1\}$. If one of the inputs $(0,0)$ or $(0,1)$ is perfectly correlated or anti-correlated, then we cannot reduce bit commitment to this box (Theorem 1). Otherwise we can securely implement bit commitment from this box using Protocol I.

Next, we consider the case $W_{x0}, W_{x'1} \in D$, $x, x' \in \{0,1\}$. We assume $x = x' = 0$. Then it holds that

$$W_{10} = \lambda_{00} W_{00} + \lambda_{01} W_{01},$$

$$W_{11} = \mu_{00} W_{00} + \mu_{01} W_{01}.$$

If there is $u \in \{0,1\}$ such that for all $v \in \{0,1\}$ the box is neither perfectly correlated nor perfectly anti-correlated for input $(u,v)$, then the box fulfills Condition 1. Otherwise, there must be $v_0, v_1 \in \{0,1\}$ such that the box is perfectly correlated or anti-correlated for both $(0,v_0)$ and $(1,v_1)$. Then it follows that $\lambda_{00} = 0$ and $\mu_{01} = 0$, which is a contradiction to our assumptions.

The case $|\mathrm{extr}(\mathrm{conv}(W))| < 1$ we have already excluded.

■ 
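The locality argument in case (2) of the proof above can be checked numerically. The following Python sketch is an added example, not part of the original paper: it recovers the coefficients a_x, b_x from a box and verifies the two-term product decomposition exactly. It assumes that W_{xu} denotes W(xy|uv)/W^A(x|u); the sample boxes and all function names are constructed for illustration.

```python
from fractions import Fraction as F
from itertools import product

B = (0, 1)

def sample_box():
    """Constructed box W[x, y, u, v]: shared bit r ~ q; Alice outputs r on u=0
    and x ~ alice[r] on u=1; Bob outputs y ~ bob[r][v]. Local by construction."""
    q = (F(2, 5), F(3, 5))
    alice = ((F(3, 4), F(1, 4)), (F(1, 3), F(2, 3)))
    bob = (((F(9, 10), F(1, 10)), (F(7, 10), F(3, 10))),
           ((F(1, 5), F(4, 5)), (F(1, 2), F(1, 2))))
    return {(x, y, u, v): sum(q[r] * (alice[r][x] if u else F(int(x == r)))
                              * bob[r][v][y] for r in B)
            for x, y, u, v in product(B, repeat=4)}

def pr_box():
    # Popescu-Rohrlich box: x XOR y = u AND v, uniformly; known to be non-local
    return {(x, y, u, v): F(int(x ^ y == u & v), 2)
            for x, y, u, v in product(B, repeat=4)}

def marg(W, x, u):
    # W^A(x|u); non-signaling makes this independent of v, so v = 0 is used
    return W[x, 0, u, 0] + W[x, 1, u, 0]

def cond(W, x, u):
    # W_{xu} as a vector indexed by 2*y + v (assumed reading: W(xy|uv) / W^A(x|u))
    return [W[x, y, u, v] / marg(W, x, u) for y, v in product(B, repeat=2)]

def weight(t, p0, p1):
    # lambda with t = lambda*p0 + (1 - lambda)*p1, or None; requires p0 != p1
    i = next(i for i in range(4) if p0[i] != p1[i])
    lam = (t[i] - p1[i]) / (p0[i] - p1[i])
    return lam if all(c == lam * a + (1 - lam) * b for c, a, b in zip(t, p0, p1)) else None

def local_model(W):
    """Return (a, b) if W equals the two-term product decomposition, else None."""
    w = [cond(W, 0, 0), cond(W, 1, 0)]
    lam0, mu0 = weight(cond(W, 0, 1), *w), weight(cond(W, 1, 1), *w)
    if lam0 is None or mu0 is None:
        return None  # W_01 or W_11 is not a mixture of W_00 and W_10
    a = [l * marg(W, 0, 1) / marg(W, x, 0) for x, l in enumerate((lam0, 1 - lam0))]
    b = [m * marg(W, 1, 1) / marg(W, x, 0) for x, m in enumerate((mu0, 1 - mu0))]
    VA = lambda r, x, u: (a[r] if x == 0 else b[r]) if u else F(int(x == r))
    ok = all(W[x, y, u, v] == sum(marg(W, r, 0) * VA(r, x, u) * w[r][2 * y + v]
                                  for r in B)
             for x, y, u, v in product(B, repeat=4))
    return (a, b) if ok else None
```

A `None` result only means that this particular decomposition does not apply to the box; it is not a general non-locality test.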

In order to prove that we can reduce bit commitment to any 
box with binary outputs (and general input alphabets U and V) 
that cannot be securely implemented from shared randomness 
we need to give an alternative condition for the security of 
Protocol II. 

Condition 3. There exist $u_0, u_1 \in U$, $u_0 \neq u_1$ and $x_0, x_1 \in \{0,1\}$ such that the following two conditions hold:
(1) $W_{x_0u_0}, W_{x_1u_1}$ are extreme points of $\mathrm{conv}(W)$, i.e., for all $c \in \{(x_0,u_0), (x_1,u_1)\}$ it holds that for all probability distributions $P$ s.t. $P(c) = 0$



> S. 



(2) Let $c, c' \in \{(1-x_0,u_0), (1-x_1,u_1)\}$ with $c \neq c'$. Then for all probability distributions $P$ such that $P(c') > 0$ and $P(c) = 0$ it holds that



> S. 



To prove Protocol II secure for all boxes that fulfill Condition 3 we replace Lemma 18 with the following lemma. We assume that $(x_0,u_0) = (0,0)$ and $(x_1,u_1) = (0,1)$.

Lemma 20. If d_H(z", z") > k_1, then the probability that Bob accepts z" is negligible in n.

Proof: For all e T^, it holds that \N{xu\w'') - 
^W^{x\u)\ < en < -^ki. We distinguish the following two 
(1) If there exists $u' \in \{0,1\}$ such that $N(u'|u'') < n/2 - k_1/8$, then the statement follows from the proof of Lemma 18.

(2) If $|n/2 - N(u|u'')| < k_1/8$ for all $u \in \{0,1\}$, then it follows from Lemma 2 that with overwhelming probability $z'' \in$

(w"). If dH{z''"',S'°°) > 



'^w^.ei'^'^)- Assume 



ifci or (z^"! , z^"i ) > i/ci, then the claim follows from 
Lemma [8] and Condition [3] If \{i € ho : = 11}| > |fci, 
then the claim follows from Condition [3] and the proof of 
Lemma |8] as follows: Let D :— {k ^ Iiq : Zk ^ Zfe}. We use 
Condition [3] and replace (|2]i with 

\D\ 



10 



keiio 



\h,\ 

M 

\ho\ 



W 



10 



1 



keD 



5 > -hS/r 



We assume z" S ^. Then it follows as in the proof of 
Lemma [8] that W^"„(7^^(z")) is negligible. The same holds 
if \{i E 111 '■ Zi — 10}| > ^ki. In all other cases it follows 
that z" i T^^^. ■ 

Theorem 3. Bit Commitment can be reduced to any non- 
signaling box with binary outputs that cannot be securely 
implemented from shared randomness. 

Proof: If < 2, then the statement follows from the proof of Theorem 2. Otherwise, we first eliminate the cases where there exists $(x_0,u_0)$ such that $W^A(x_0|u_0) = 0$ or $W_{x_0u_0} = W_{x_1u_1}$ for some $(x_1,u_1) \neq (x_0,u_0)$ by using Lemma 19 to reduce the box. Then we consider $D := \mathrm{extr}(\mathrm{conv}(W))$: In the case $|D| = 2$ the statement is proven in the same way as in the proof of Theorem 2. The case $|D| > 3$ is a little bit more involved: If there is $W_{1u}, W_{0u} \in D$, then Condition 2 is fulfilled and we can implement bit commitment using Protocol II. Otherwise, we can either implement bit commitment using Protocol I or for every input $u$ corresponding to an element of $D$ there is an input $v$ for Bob such that the box is perfectly correlated or anti-correlated. Let $W_{x_0u_0} \in D$. Without loss of generality we assume that $W$ is perfectly correlated for input $(u_0,v_0)$.
Then there exist with rzn^z = 1 such that 

W^(l-a;o)«o = 



E 



There exists $(x_1,u_1)$ with $u_1 \neq u_0$ such that $\lambda_{x_1u_1} > 0$. We assume $x_0 = x_1 = 0$. We have $W(10|u_0v_0) = 0$. This implies $W(00|u_1v_0) = 0$. From the non-signaling conditions follows that $W(10|u_1v_0) = W(00|u_0v_0) > 0$. There exists $v_1 \in V$ such that $(u_1,v_1)$ is perfectly correlated or anti-correlated. We assume without loss of generality that $(u_1,v_1)$ is perfectly correlated. This implies $W(00|u_1v_1) > 0$ and $W(10|u_1v_1) = 0$. From $\lambda_{x_1u_1} > 0$ follows that $W(10|u_0v_1) > 0$. So we have $W_{0u_0}, W_{0u_1} \in D$, $W(10|u_0v_0) = W(10|u_1v_1) = 0$, $W(10|u_1v_0) > 0$ and $W(10|u_0v_1) > 0$. Thus, Condition 3 is fulfilled.



VI. Concluding Remarks 

We have shown that any non-signaling two-partite system with binary outputs can either be realized by shared randomness or allows for bit commitment. This all-or-nothing result implies, in particular, that the classical measurement-outcome behavior of a two-qubit state can be used for bit commitment if it has no hidden-variable explanation.

An obvious challenging open question is whether a similar result holds for arbitrary output alphabets. Furthermore, it would be interesting to know under what circumstances (the stronger functionality of) oblivious transfer can be obtained. In certain settings, e.g., distributed information or noisy channels, bit commitment and oblivious transfer have turned out to be realizable from exactly the same starting points.